2.8.x to 2.9 Sudden 411 issues

Hi,

I’m a very new user of HAProxy and am running into an issue when trying to upgrade from 2.8.x to 2.9.

We are running HAProxy on Kubernetes and over the past few weeks we’ve run a few billion messages through our setup (load testing is fun!).

When we try to upgrade to 2.9 we start to get 411’s (the server refuses to accept the request without a defined Content-Length header) in places where we were getting 200’s on 2.8.3 and 2.8.4.

I looked through the release notes and didn’t see anything between 2.8.4 and 2.9 that implied a difference with how those are being handled, but does anyone have ideas? I know there was CVE-2023-40225, but I thought the fix for that was in 2.8.4. When I log the Content-Length header I get 0 though, so maybe that’s it? I’m just confused why it would be an issue for 2.9 but not 2.8.4.

Has anyone else run into this or have ideas?

1 Like

Are you saying that Haproxy is emitting the 411 or your backend server?

In that case, provide the output of show errors on the admin socket.

The fix for CVE-2023-40225 is in haproxy 2.8.2.

Hi, thanks for the response.

We are getting these errors from the backend servers but only after going up to 2.9. 2.8.3 and 2.8.4 are returning 200.

The odd part is “show errors” does not show any errors with malformed HTTP calls on 2.9 or 2.8.x. We sent some purposefully malformed calls (two host headers) and “show errors” caught those.

After updating our logging it looks like only HTTP Posts with 0 or Undefined Content Lengths are being blocked in 2.9. Which is good, but now I’m curious why that isn’t happening in 2.8.3/4. Also curious if there are any configuration doodads we can change to make 2.9 behave like 2.8 while we update our clients and servers.

Thanks!

Can you test 2.8.5 ? This could be a bug. You may have to file an issue on github:

Sure thing, just tested on 2.8.5 and could not repro the issue.

We then tested on the different 2.9dev builds and found that the problem shows up between 2.9dev6 and 2.9dev7.

Thanks, so it sounds like a bug so I should report on Github instead of here. Appreciate the help!

Fixed in 2.9.1 as per:

1 Like